[00:32] <karlthane> Hello, trying to help test. Downloaded the current daily iso for 19.10, not giving option to install to zfs in installer. Is there something special I have to do. Sorry if this is wrong channel.
[01:01] <valorie> karlthane: try #ubuntu+1
=== CarlFK1 is now known as CarlFK
=== CarlFK1 is now known as CarlFK
[10:35] <caribou> Hello, I'm preparing an SRU upload of systemd for LP: #1805183. Anybody has something inflight on systemd ?
[10:35] <ubottu> Launchpad bug 1805183 in systemd (Ubuntu Bionic) "systemd-resolved constantly restarts on Bionic upgraded from Xenial" [Medium,In progress] https://launchpad.net/bugs/1805183
[14:01] <tomreyn> gnupg2 (as well as gnupg, i.e. v1) in bionic fails to handle keys without user ids, as provided by the (only, as far as i know) key spam safe openpgp server keys.openpgp.org, which most applications now default to.
[14:01] <tomreyn> so it's not currently possible to use a safe keyserver in bionic, from what i can tell.
[14:01] <tomreyn> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930665
[14:01] <ubottu> Debian bug 930665 in gpg "gpg won't import valid self-signatures if no user ids are present in imported transferable public key" [Important,Fixed]
[14:13] <TJ-> tomreyn: I find that vulnerabilty useful... as I have multiple IDs if the same email arrives for multiple IDs it gets deleted instantly by procmail
[14:18] <tomreyn> TJ-: well, that's not so useful to me ;)
[14:22] <TJ-> hehehe
[14:22] <TJ-> tomreyn: so is it no longer possible to search by userid to find a key?
[14:23] <TJ-> tomreyn: hmm, is that keyserver not connected to the pool? it doesn't find my key
[14:35] <tomreyn> TJ-: it is not connected to the SKS pool. are you aware of the signature spamming issues?
[14:36] <tomreyn> i just filed bug 1844055 about the above.
[14:36] <ubottu> bug 1844055 in gnupg2 (Ubuntu) "Importing public key from keys.openpgp.org fails with "no user ID" " [Undecided,New] https://launchpad.net/bugs/1844055
[14:38] <TJ-> tomreyn: you mean the email addresses being harvested for spam? Yes, seen it for a long time which is why I have procmail rules to block it
[14:39] <TJ-> tomreyn: hashes the subject and counts for all IDs in the keys
[15:03] <tomreyn> TJ-: no, i don't mean e-mail addresses harvested for spam. i mean the issue known as (variants of) OpenPGP certificate (key signature) flooding / spam. I added more context to the bug report now.
[15:09] <TJ-> tomreyn: ahhh, thanks, so adding lots of signatures to a key as a DoS because clients cannot cope with the quantity?
[15:12] <tomreyn> TJ-: yes, this sums up CVE-2019-13050, mitigation of which got deferred https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13050.html
[15:12] <ubottu> Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050)
[15:15] <TJ-> tomreyn: reading about the unmaintained 'toy' SKS software and the fact 2 key devs of openpgp have known about this for 10 years... I dispair!
[15:15] <TJ-> I despair, too!
[15:25] <tomreyn> yes, it's overall a sad situation. :/
[15:27] <TJ-> the argument 'no-one can understand the code' is a poor one though; that is always possible if sufficient time is applied
[15:37] <tomreyn> i wouldn't personally claim to be able to do so, not now, nor anytime soon. but certainly time, accompanied by other resources, such as knowledge and experience, money, could. the argument resting within this, that infrastructurally important or at least relevant software should be written in a widely understood programming language, accompanied by good documentation. (this said, i'm very grateful to kfiskerstrand and other contributors to
[15:37] <tomreyn> the SKS keyserver code and network over the years.)
[15:38] <tomreyn> s/within this , that/within this is that/
[15:38] <tomreyn> and we should move to -discuss.
[17:49] <karlthane> @valorie Thank You
[17:49] <udevbot> Error: "valorie" is not a valid command.
[17:49] <karlthane> valorie Thank you.
[17:59] <Eickmeyer> cyphermox: Still no movement on bug 184319?
[17:59] <ubottu> bug 184319 in GetDeb Software Portal "Update Package: alarm-clock 0.5" [Wishlist,Fix released] https://launchpad.net/bugs/184319
[17:59] <Eickmeyer> Oh, wrong bug...
[18:00] <Eickmeyer> cyphermox: bug 1843196
[18:00] <ubottu> bug 1843196 in ubiquity-slideshow-ubuntu (Ubuntu) "[Merge Request] Updated Ubuntu Studio Slideshow" [Undecided,New] https://launchpad.net/bugs/1843196